Easy VPN connection with remote side behind NAT device

Unanswered Question
Marwan ALshawi Thu, 08/07/2008 - 06:24

Try to issue the following command:

no crypto dynamic-map outside_dyn_map 20 set nat-t-disable

shanevolpe Thu, 10/02/2008 - 06:43

I'm trying to do the same thing you are: Establishing a VPN using the ASA5505 when it is behind a NAT. Did you have to open/forward any ports from the NAT device to the ASA5505 to get the VPN connection working?

Marwan ALshawi Thu, 10/02/2008 - 06:50

If your case is like:

internet---nat device--ASA--internal

and the VPN is on the ASA,

you first need static NAT or port forwarding from the NAT device to the ASA.

You need the following ports opened and NATed statically:


udp 500

and maybe udp 4500

to get the tunnel established

If helpful, rate.

singhsaju Fri, 10/03/2008 - 09:13


Can you enable NAT-T globally on both end ASAs and then check?

"isakmp nat-traversal 20 "


When NAT-T is enabled, the ESP packets (which actually carry the data payload), which get blocked by PAT/NAT, get encapsulated in UDP 4500 packets, and since they now have ports they can easily pass through PAT.



Please rate helpful posts
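The UDP 4500 encapsulation described in the reply above can be checked on a capture taken at the NAT device. The following is an added example, not part of the original thread: it classifies raw UDP datagrams using the RFC 3948 layout (four zero bytes before IKE, a single 0xFF keepalive byte, otherwise ESP starting with SPI and sequence number). The function names and the sample bytes are constructed for illustration.

```python
import struct

NAT_T_PORT = 4500              # UDP port named in the thread
NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: four zero bytes precede IKE on 4500

def classify_udp(datagram: bytes) -> dict:
    """Classify one raw UDP datagram (8-byte header plus payload)."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    if not 8 <= length <= len(datagram):
        raise ValueError("bad UDP length field")
    payload = datagram[8:length]
    if NAT_T_PORT not in (sport, dport):
        return {"kind": "not-nat-t"}
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}      # keeps the NAT mapping alive
    if len(payload) < 8:
        return {"kind": "malformed"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < 28:                     # fixed ISAKMP header is 28 bytes
            return {"kind": "malformed"}
        return {"kind": "ike", "version": ike[17], "exchange_type": ike[18]}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp-in-udp", "spi": spi, "seq": seq}

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP datagram for the samples (checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed sample traffic, not captured from a real tunnel.
IKE_HDR = (b"\x11" * 8 + b"\x00" * 8 + bytes([1, 0x10, 4, 0])
           + struct.pack("!II", 0, 28))
SAMPLES = [
    udp(500, 500, IKE_HDR),                     # IKE on udp 500
    udp(4500, 4500, NON_ESP_MARKER + IKE_HDR),  # IKE carried on udp 4500
    udp(4500, 4500, struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 32),  # ESP data
    udp(4500, 4500, b"\xff"),                   # NAT keepalive
]

def summarize(samples) -> list:
    """Return the traffic kind of each datagram, in order."""
    return [classify_udp(s)["kind"] for s in samples]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify_udp(s))
```

If a capture shows IKE on udp 4500 but no `esp-in-udp` datagrams while the tunnel is passing traffic, the data path is not being encapsulated and the NAT-T setting on one of the peers is the first thing to check.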

